How to identify whether a passkey is created from an Apple device (iCloud Keychain)

Hi, I am currently implementing the ability to allow users to add a passkey to their account by using the WebAuthn API. My current issue is that I would like to identify what type of device/authenticator the user has used to create their passkey so that we can automatically set a nickname for the passkey for the user to help the user experience (e.g. if a user has set up a passkey on an Apple device, we would auto-set the nickname as iCloud Keychain so it's clear to the user that the passkey is not specific to just the device they set it up on).

After some reading, it seems like when trying to create a new passkey via an Apple device, it will not send a populated attestation with any sort of attestation statement, AAGUID, fmt, etc., and this is what I have been seeing in my testing of my implementation.

My question is, instead of using an AAGUID, is there an alternative way to identify that the user has created a passkey via iCloud Keychain? I can see that when creating a passkey for my Google account via my iPhone/MacBook, they seem to be able to identify when a passkey is created on an Apple device and label it automatically as "iCloud Keychain", and this applies to both doing it via platform and cross-platform. I essentially want to be able to achieve this but I'm not sure how this can be done.

There is not a way to directly identify the source of a passkey, but you can make a good guess in most cases. The WebAuthn spec currently says that any registration response without an attestation statement should set the AAGUID to all zero. Most passkey authenticators today don't follow the spec and will return their AAGUID even when no attestation statement is provided. This provides a weak form of identification (i.e. it's not signed/attested, so it's technically possible to lie, though there's currently little motivation to do so). iCloud Keychain is one of the few (maybe the only?) passkey authenticator that currently follows the spec and will use an all-zero AAGUID.

Identification is a hot topic in the WebAuthn spec currently and the situation will continue to evolve, but there's enough information available today for motivated sites to build heuristics.
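The heuristic above, worked through as an added example (not code from this answer or from any passkey provider): decode the registration `attestationObject`, split out `authData`, read the 16-byte AAGUID, and map it to a display name. A `fmt` of `none` with an all-zero AAGUID is treated as iCloud Keychain; anything else is looked up in an AAGUID table in the shape of the community list. The table entries, RP ID hash, credential ID and COSE key below are constructed placeholders, not real values, and the CBOR decoder covers only the subset WebAuthn attestation objects use.

```python
"""Guess a passkey provider from a WebAuthn registration response (added example).

UX heuristic only: with no attestation statement the AAGUID is unsigned, so a
client could in principle claim any value. Never use this for security decisions.
"""
import struct
import uuid

ZERO_AAGUID = bytes(16)

# Constructed placeholder table in the shape of the community AAGUID list.
# These are NOT real AAGUIDs; load the real list from the repository instead.
SAMPLE_AAGUID_NAMES = {
    "11111111-1111-1111-1111-111111111111": "Example Password Manager",
}


def _cbor_decode(buf, pos=0):
    """Decode the CBOR subset used by attestation objects and COSE keys:
    unsigned/negative ints, byte strings, text strings, arrays and maps."""
    initial = buf[pos]
    pos += 1
    major, info = initial >> 5, initial & 0x1F
    if info < 24:
        arg = info
    elif info == 24:
        arg = buf[pos]
        pos += 1
    elif info == 25:
        arg = int.from_bytes(buf[pos:pos + 2], "big")
        pos += 2
    elif info == 26:
        arg = int.from_bytes(buf[pos:pos + 4], "big")
        pos += 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _cbor_decode(buf, pos)
            val, pos = _cbor_decode(buf, pos)
            result[key] = val
        return result, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_auth_data(auth_data):
    """Split authenticatorData into its fixed fields plus, when the AT flag
    (0x40) is set, the attested credential data that carries the AAGUID."""
    parsed = {
        "rpIdHash": auth_data[:32],
        "flags": auth_data[32],
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
    }
    if parsed["flags"] & 0x40:
        cred_id_len = struct.unpack(">H", auth_data[53:55])[0]
        pubkey, _ = _cbor_decode(auth_data, 55 + cred_id_len)
        parsed["aaguid"] = auth_data[37:53]
        parsed["credentialId"] = auth_data[55:55 + cred_id_len]
        parsed["publicKey"] = pubkey
    return parsed


def guess_provider(attestation_object, aaguid_names=SAMPLE_AAGUID_NAMES):
    """Return a display nickname for a newly registered passkey."""
    att, _ = _cbor_decode(attestation_object)
    auth = parse_auth_data(att["authData"])
    if "aaguid" not in auth:
        raise ValueError("registration response carries no attested credential data")
    if auth["aaguid"] == ZERO_AAGUID:
        # Spec-conformant "no attestation" response; today that is mostly iCloud Keychain.
        return "iCloud Keychain" if att["fmt"] == "none" else "Unknown passkey provider"
    # Most other providers still send their real AAGUID even with fmt "none".
    return aaguid_names.get(str(uuid.UUID(bytes=auth["aaguid"])), "Unknown passkey provider")


def _cbor_bytes(b):
    n = len(b)
    head = bytes([0x40 | n]) if n < 24 else (bytes([0x58, n]) if n < 256 else b"\x59" + n.to_bytes(2, "big"))
    return head + b


def _cbor_text(s):
    b = s.encode()
    return bytes([0x60 | len(b)]) + b  # all strings used here are shorter than 24 bytes


def build_sample_attestation(aaguid):
    """Constructed fmt "none" attestation object for testing; the RP ID hash,
    credential ID and the two-entry COSE key {1: 2, 3: -7} are dummies."""
    auth_data = (bytes(32) + bytes([0x45]) + struct.pack(">I", 0)  # flags: UP|UV|AT
                 + aaguid + struct.pack(">H", 16) + b"\x11" * 16
                 + bytes.fromhex("a20102032 6".replace(" ", "")))
    return (b"\xa3" + _cbor_text("fmt") + _cbor_text("none")
            + _cbor_text("attStmt") + b"\xa0"
            + _cbor_text("authData") + _cbor_bytes(auth_data))


if __name__ == "__main__":
    print(guess_provider(build_sample_attestation(bytes(16))))       # iCloud Keychain
    print(guess_provider(build_sample_attestation(b"\x11" * 16)))    # Example Password Manager
```

In production the table would be the community JSON keyed by lowercase hyphenated AAGUID, which is exactly what `str(uuid.UUID(bytes=...))` produces, and the result should only ever seed an editable nickname.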

This community-driven site https://github.com/passkeydeveloper/passkey-authenticator-aaguids/tree/main may provide some hint on the source of a passkey if it is followed by passkey providers. As stated in the README, it is a community-driven list of known passkey provider AAGUIDs to assist with naming passkeys in end user passkey management interfaces (e.g. account settings). It is purely for UX; this does not replace FIDO's Metadata Service (MDS), which should continue to be used for all authoritative security details about FIDO authenticators. Some AAGUIDs in this list may not appear in FIDO MDS.
